I used scriptlogic's other security-explorer products for a large AD redesign a couple of years ago and had a bug they could not repro which rendered the product unusable in my case. While the product would have been ideal if it had worked for me, as a potential client their end-user support I found disappointing in my case.
But that may be a once-off incident. Anyway, the first thing in large AD deployments is that 'best practice' isn't always best at large scales. The theory will tell you to create AD groups and add them to SharePoint groups, but if you are putting in SharePoint to decentralise the administration and delegation of content admin, then this is not going to help you. So as a former AD specialist, I actually have no fundamental objections to adding user accounts directly into SharePoint groups - particularly team portals where there is a designated 'site administrator' that has enough rights to manage access. This is purely a philosophical decision (as is many SharePoint decisions) However, if you are of the philosophy that the IT "thought police" should stay in control of access, then it makes sense to manage it via Active Directory. Additionally, one AD redesign I did also had adopted the 'best practice' of "local groups", with "global groups" as members of the local groups. However because of a complex filesystem, there were 350 AD groups for each project file structure (read, write, delete for subfolders with global and local groups.) Result? over 35000 groups in AD across all projects - scary. So many groups had issues with Kerberos authentication among other things. So I guess the first thing is to determine the type of site you are delivering and the philosophy around management of sites and delegation or centralisation of that management. Is this any help? Paul www.cleverworkarounds.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Noone Sent: Wednesday, 2 July 2008 10:51 AM To: listserver@ozMOSS.com Subject: [OzMOSS] SharePoint Groups and Permission Levels Hi guys, I've recently been tasked with providing a list of groups and permissions for a new MOSS site collection with a significant Active Directory. Does anyone have a no-nonsense approach to this? I've been looking for a table of SharePoint Groups and their applied Permission Levels but can't seem to find any detailed or practical information on this obviously important first step. I did come across what seems like a fantastic management tool once things are up and running though. Would be interested to know if anyone has experience with this. http://www.scriptlogic.com/products/security-explorer/sharepoint/ Kind regards, Paul _____ ____________________________________________________________________________ This e-mail is intended for the use of the addressed recipient(s) only and may contain confidential and privileged information. If you have received this message in error, please delete the message and any attachments and copies immediately; and notify the sender by return e-mail. Any views expressed in this message or any attachments are those of the individual sender and do not necessarily represent the corporate opinion of the Catholic Education Office (CEO), Sydney. The CEO Privacy Policy is located at http://www.ceo.syd.catholic.edu.au ____________________________________________________________________________ ------------------------------------------------------------------- OzMOSS.com - to unsubscribe from this list, send a message back to the list with 'unsubscribe' as the subject. Powered by mailenable.com ------------------------------------------------------------------- OzMOSS.com - to unsubscribe from this list, send a message back to the list with 'unsubscribe' as the subject. Powered by mailenable.com
